Traditional web services that are accessed by a web browse typically utilize hypertext markup language (HTML) and Javascript, which provide the capability to determine legitimate use of the web service, such as presenting Completely Automated Public Turing tests to tell Computers and Humans Apart (CAPTCHAs) and other challenge questions to the user. However, unlike traditional web services, wireless communication devices often employ mobile applications to communicate with web servers. For example, typical mobile applications pull data down from web servers for display to the user, and also allow the user to modify the data and submit it back to the server.
Mobile applications commonly utilize mobile application programming interfaces (APIs) to communicate with external web services and provide their functionality to the user. The communication between native mobile applications and mobile APIs on the web servers is commonly done using JavaScript Object Notation (JSON), Extensible Markup Language (XML), and other protocols that do not employ security techniques but are simply used to provide an exchange of data between the client and server. Thus, the core application communication between the mobile application and the web service utilizes a mobile API with no security in place to validate the legitimacy of the request.
Although mobile applications are typically designed to run on physical mobile devices, other software-based platforms have been developed that are also capable of running mobile applications, such as standard and non-standard emulators, virtual machines, and host environments, such as web browsers and other operating environments. Unfortunately, such software-based operating environments may be easier to exploit by malicious users to launch security attacks using mobile applications.
Overview
Techniques to facilitate detection of whether or not applications are executed on physical devices are disclosed herein. In at least one implementation, a mobile application that generates a web service request is executed on a computing system. The computing system executes a client security component of the mobile application to collect attributes associated with the computing system and an operating environment on which the mobile application is executing, and utilizes a mobile application programming interface to transfer the web service request including the attributes for delivery to a web server. The web server executes a server security component of a web service to extract the attributes from the web service request and process the attributes to determine whether or not the mobile application is being executed on a physical mobile device.
This Overview is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. It may be understood that this Overview is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.